Minimum Permissions Required for Account Used to Join Computers to a Domain During OS Deployment

This account can be used during either Lite Touch deployments using MDT or Zero Touch deployments via SCCM.

The account requires the following permissions, delegated on the required OUs (or the domain) either using the Delegation of Administration wizard or, as in this example, by directly changing the security on particular OUs within the domain.

The account SHOULD NOT be given “Domain Admins” privileges.

In this example I will use a domain account called “CM_DJ” (short for ConfigMgr Domain Join) which starts out with no special permissions other than being a member of “Domain Users”. The account should be restricted from logging into computers via a GPO using the “Allow log on locally” User Rights Assignment item.

In order to view the Security tab in Active Directory Users and Computers, enable “View Advanced Features” from the View menu.


The bullet points below summarise what permissions are required during deployment activities:

  • Add/Remove new computers (“Bare Metal” scenarios)
  • Update existing ones (“Refresh” scenarios)

Open the Security tab of the OU you want to give permissions on. This can be done at the domain level if required, but for security reasons it is best to limit this to certain parts of Active Directory.

Right-Click the relevant OU and select Properties.

Navigate to the Security tab.

Click on “Advanced“.

Click on “Add” and browse to your account, e.g. TESTLAB\CM_DJ (DomainName\JoinAccount).

Choose the following settings:

Choose “This object and all descendant objects”

  • Create Computer Objects
  • Delete Computer Objects


Click “OK”

Click “Add” again and once more select the “JoinAccount” user.

This time, limit the “Apply Onto” scope to “Descendant Computer objects” and choose the following settings:

  • Read All Properties
  • Write All Properties
  • Read Permissions
  • Modify Permissions
  • Change Password
  • Reset Password
  • Validated write to DNS host name
  • Validated write to service principal name



Once this has been done the “JoinAccount” (in this example TESTLAB\CM_DJ) will have the required permissions to add, modify and remove computer accounts in the locations you specify, and nothing over and above that.
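The same two sets of ACEs can be applied from PowerShell instead of clicking through the Advanced Security dialog. The script below is an added example and is not from the original post or the script linked further down; it assumes the ActiveDirectory module is available, that it is run by someone allowed to modify the OU's security, and that the OU distinguished name and account name are placeholders you replace with your own.

```powershell
# Added example: delegate the domain-join permissions described above to one OU.
# Assumes: ActiveDirectory module (for the AD: drive), rights to edit the OU's DACL,
# and that $JoinAccount / $TargetOU are replaced with your own values.
Import-Module ActiveDirectory

$JoinAccount = 'TESTLAB\CM_DJ'                        # DomainName\JoinAccount
$TargetOU    = 'OU=Workstations,DC=testlab,DC=local'  # placeholder OU DN

# Well-known schema and extended-right GUIDs (fixed across all AD forests)
$ComputerClass    = [Guid]'bf967a86-0de6-11d0-a285-00aa003049e2' # Computer object class
$ChangePassword   = [Guid]'ab721a53-1e2f-11d0-9819-00aa0040529b' # Change Password
$ResetPassword    = [Guid]'00299570-246d-11d0-a768-00aa006e0529' # Reset Password
$ValidatedDnsName = [Guid]'72e39547-7b18-11d1-adef-00c04fd8d5cd' # Validated write to DNS host name
$ValidatedSpn     = [Guid]'f3a64788-5306-11d1-a9c5-0000f80367c1' # Validated write to SPN

$Identity = New-Object System.Security.Principal.NTAccount($JoinAccount)
$Allow    = [System.Security.AccessControl.AccessControlType]::Allow
$All      = [System.DirectoryServices.ActiveDirectorySecurityInheritance]::All
$Desc     = [System.DirectoryServices.ActiveDirectorySecurityInheritance]::Descendents
$R        = [System.DirectoryServices.ActiveDirectoryRights]

$acl = Get-Acl -Path "AD:\$TargetOU"

# 1) "This object and all descendant objects": Create / Delete Computer Objects
$acl.AddAccessRule((New-Object System.DirectoryServices.ActiveDirectoryAccessRule `
    $Identity, ($R::CreateChild -bor $R::DeleteChild), $Allow, $ComputerClass, $All))

# 2) "Descendant Computer objects" only: read/write all properties, read/modify permissions
$acl.AddAccessRule((New-Object System.DirectoryServices.ActiveDirectoryAccessRule `
    $Identity, ($R::ReadProperty -bor $R::WriteProperty -bor $R::ReadControl -bor $R::WriteDacl), `
    $Allow, $Desc, $ComputerClass))

# Change Password / Reset Password are extended rights on descendant computer objects
foreach ($right in $ChangePassword, $ResetPassword) {
    $acl.AddAccessRule((New-Object System.DirectoryServices.ActiveDirectoryAccessRule `
        $Identity, $R::ExtendedRight, $Allow, $right, $Desc, $ComputerClass))
}

# Validated writes (DNS host name, SPN) use the "Self" right on descendant computer objects
foreach ($vw in $ValidatedDnsName, $ValidatedSpn) {
    $acl.AddAccessRule((New-Object System.DirectoryServices.ActiveDirectoryAccessRule `
        $Identity, $R::Self, $Allow, $vw, $Desc, $ComputerClass))
}

Set-Acl -Path "AD:\$TargetOU" -AclObject $acl

# Check: show only the ACEs granted to the join account on this OU
(Get-Acl -Path "AD:\$TargetOU").Access |
    Where-Object { $_.IdentityReference -eq $JoinAccount } |
    Select-Object ActiveDirectoryRights, ObjectType, InheritanceType, InheritedObjectType
```

The final query is the quick way to confirm that nothing beyond the listed rights has been granted, and it can be re-run later to detect drift on the OU's DACL.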

/ JC

## Edit 09/03/2017 ##

Updated to reflect the updated GUI in Windows Server 2012 and later.

## Edit 24/02/2015 ##

To automate this process, check out Johan Arwidmark’s blog where you can download a script that he and Mikael Nystrom wrote to automate the permissions required:

Script to Set AD Permissions for OSD


12 thoughts on “Minimum Permissions Required for Account Used to Join Computers to a Domain During OS Deployment”

  1. Tony

    Thank you for this. I have been looking for minimal settings for hours now. Your page had exactly what I was looking for.

  2. London Lodge Reserving *

    I like the valuable information you supply to your articles.
    I will bookmark your weblog and take a look at once more right here frequently.
    I am relatively certain I’ll learn many new stuff proper right here! Good luck for the following!

  3. Olive

    You really make it seem so easy along with your presentation but I find this
    topic to be actually one thing which I think I might
    never understand. It sort of feels too complicated
    and extremely vast for me. I’m having a look ahead on your next publish, I will attempt to get the cling of it!

  4. Pingback: Permissions for MDT deployment account | Technology Librarian Does Stuff

  5. m88

    Wow, that’s what I was seeking for, what a material! existing here at
    this blog, thanks admin of this site.

  6. Pingback: Using Citrix PVS to stream Linux VDA (RHEL 7 Workstation) | magicalyak

  7. Pingback: Using Citrix PVS to stream Linux VDA (RHEL 7 Workstation) – magicalyak
